Monday, November 7, 2016

What is Rootkit and how to detect and remove it ?





What is a Rootkit ?


A rootkit is a collection of programs that can give administrator-level access of a computer to the attackers. The term “rootkit” is derived from two words “root” and “kit”. A rootkit is a set of programs or tools that enables root-level or administrator level access of a computer and hence the name.

Attackers usually install a rootkit to mask the intrusion and continue malicious activities in a stealthy manner, as rootkits are considerably difficult to detect and remove.

Attackers usually first obtain user-level access of a computer using some security vulnerabilities or by hacking weak credentials of a system and then gains administrator privileges by exploiting more vulnerabilities.


Purpose of a Rootkit


A rootkit can get installed in a system with several purposes:

  • It can install spyware to secretly spy on the users and steal sensitive data.
  • It can install a keylogger in the system to log keystrokes of a user and steal sensitive credentials.
  • It can install a backdoor to give the attackers full access of the system.
  • Rootkits can even alter system logs to remain as stealthy as possible and infect other systems of the network with malware.


Types of Rootkits


There can be several types of rootkits:


User-mode Rootkit


User-mode rootkits get installed in a system and run on a computer with administrative privileges. They can alter security configurations in a system and hide processes, files, system drives, network ports or even system services. It can automatically launch itself at the time of system start. But, as user-mode rootkits do not alter the Operating System kernel, they are less stealthy and easier to detect and remove comparatively.


Kernel-mode Rootkit


Kernel-mode rootkits are extremely stealthy and can be very difficult to detect and remove. They infect a system and change the Operating System kernel. As a result, the kernel becomes untrusted and cannot detect the rootkit.

Hybrid Rootkit


A hybrid rootkit combines both user-mode and kernel-mode programs. They are widely used by the attackers to secretly infect a system and they are the most common type of rootkits.

Firmware Rootkit


Firmware rootkits can hide themselves in system firmware when the system shuts down and reinstall themselves when the system restarts. This type of rootkits are difficult to remove. If a removal program finds the rootkit and removes it without removing it from the firmware, the rootkit reinstalls itself when the system restarts.


Symptoms of Rootkit Infection


As discussed earlier, rootkits are extremely difficult to detect and remove. But, there can be a number of symptoms which may indicate a rootkit infection:

  • The computer fails to respond to any kind of inputs from the mouse or keyboard and locks up often.
  • System settings change suspiciously without knowledge. For example, screensaver may get changed or the taskbar can hide itself.
  • Network access becomes very slow without any other known reason. This may indicate exfiltration of data from the system to the attackers.


Detection and Removal or Rootkits


There are a number of security tools which can detect and remove quite a number of rootkits if used as per the instructions. A number of such rootkit removal tools are:

  • F-Secure Blacklight
  • RootkitRevealer
  • Windows Malicious Software Removal Tool
  • ProcessGuard
  • Rootkit Hunter
  • Sophos Anti-Rootkit
  • Rootkit Hook Analyzer
  • VICE
  • RAIDE
  • chkrootkit


While removing a rootkit from a system, please read the current instructions of the rootkit detection and removal tool and follow the steps required before, during or after the rootkit removal. Once the rootkit is removed, restart the system and scan again to make sure the rootkit has not reinstalled itself. And, if nothing works, do a repartition, reformat and reinstallation of the system. It is painful, but it works.

Sunday, November 6, 2016

IoT Botnets and DDoS Attacks


Towards the end of October, a huge cyber attack took down the internet in many parts of the world. It was caused by a DDoS attack made by a IoT botnet. But, what is a IoT botnet basically? And, how can it make such a huge DDoS attack? In this article we would take a deeper look into that.


What is IoT Botnet ?






A botnet is basically a group of internet connected devices which are controlled by the attackers for illicit purposes like stealing sensitive information of users, sending spams, generating false traffic to malicious websites using Click Fraud or making a DDoS attack to suspend a service or an entire network completely for an indefinite time.


IoT is made up of not only dedicated computers, but also healthcare devices like cardiac implant monitors, household and industrial appliances, automobiles, mechanical sensors and other smart appliances. When attackers hack IoT devices to create a botnet and exploit that for malicious purposes like making a DDoS attack, it is called a IoT botnet.


To create a IoT botnet, attackers usually infect a group of IoT devices with malware and gains unauthorized access of the devices. These hacked devices are called zombies. The attackers then create a network of these hacked zombie devices and control them to exploit their computation power for illicit purposes like making a DDoS attack.


What is a DDoS Attack ?


A DoS or Denial of Service Attack is an attack which is perpetrated for the purpose of making a target machine or network resource unavailable for its intended users. This attack is usually made to temporarily or indefinitely suspend a service of a host connected to internet.

DDoS Attack or Distributed Denial of Service Attack is a DoS attack in which the attack comes from multiple sources having different IP addresses. Basically, a DDoS attack is a DoS attack in which the attack is perpetrated using several source IP addresses. Using IP address spoofing, the attackers normally hide their own IP addresses, making it extremely hard to catch the attackers.


How can a IoT Botnet be used to make a DDoS Attack ?


A very good example of such IoT botnet is the botnet which affected websites from Twitter to Reddit in October 21, 2016. Attackers used malware named “Mirai” to infect IoT devices and created a huge botnet out of them. The IoT botnet was then used to launch a DDoS attack on the servers of DYN, which provides a dynamic DNS service named DynDNS.


The attackers first scanned for IoT systems with default usernames and passwords or IoT systems configured with weak credentials. Such IoT systems were then infected with Mirai malware to make them part of a IoT botnet. Mirai could break into a wide range of IoT devices from CCTV cameras to DVRs to other smart home appliances to turn them into bots. Attackers created nearly half a million Mirai powered bots in such way. The IoT botnet then exploited the computation power of those hacked IoT devices to make a huge number of requests to servers of DYN, which provides service for dynamic DNS.


When a device wants to access any website or server, it makes a DNS query to resolve the IP address of the server. The DNS servers provide the IP address to the client device, using which the device can connect to the required server. But nowadays, usually Dynamic Host Configuration Protocol or DHCP is used to configure IP addresses of servers, which keep changing over time. And to manage that, so that DNS servers can always point to the correct IP addresses, Dynamic DNS is used.


DYN provides Dynamic DNS services to websites like Amazon, Spotify and Twitter. As a result, when the IoT botnet attacked the servers of DYN, those websites went down, creating a huge internet outage. In fact, the IoT botnet was so huge that it started making tens of millions of requests at the same time to the servers of DYN to suspend its services.


There are a number of other IoT botnets also, which hack the IoT systems and exploit them for malicious purposes. Bashlight and Aidra are two of them.


How to secure IoT Devices ?


The good thing is, we can always take a couple of simple steps to secure the IoT devices.

  • Always remember to change the default passwords of IoT systems while configuring it. When attackers try to hack a IoT device, the first thing they do is to try a list of easily available default usernames and passwords of devices to gain access.
  • Do not keep weak passwords. You can find a simple suggestion on how to create a strong password and remember it efficiently at the same time here: How to create a Strong Password
  • Enable 2 Factor Authentication wherever possible.
  • Update firmware of IoT devices regularly. More updated a firmware is, lesser are its security vulnerabilities.
  • Enable Firewalls and IDPS wherever possible.
  • Please make sure only the necessary ports of the IoT devices are open and exposed outside.
  • Please make sure network ports or services are not exposed to the internet via UPnP.
  • Use accepted encryption standards and proprietary encryption protocols to encrypt data in IoT systems.
  • Please ensure physical security of IoT devices. Please make sure data storage medium cannot be easily removed and only the external ports that are necessary are used.


DoS Attacks and Prevention


DoS attacks are one of the most serious threats of today. We often hear about DoS attacks that temporarily or indefinitely suspend a service or an entire network. How are these DoS attacks perpetrated and how can we prevent them? In this article we would discuss about that.


What are a DoS and a DDoS Attack ?


A DoS or Denial of Service Attack is an attack which is perpetrated for the purpose of making a target machine or network resource unavailable for its intended users. This attack is usually made to temporarily or indefinitely suspend a service of a host connected to internet.

DDoS Attack or Distributed Denial of Service Attack is an attack in which the attack comes from multiple sources having different IP addresses. Basically, a DDoS attack is a DoS attack in which the attack is perpetrated using several source IP addresses. Using IP address spoofing, the attackers normally hide their own IP addresses, making it extremely hard to catch the attackers.



Effects of DoS Attacks


As a result of a DoS attack, you may see:

  • Unusually slow network performance.
  • Unavailability of a particular website.
  • Dramatic increase of number of spam emails received.
  • Disconnection of internet connection.

The effects can be sometimes long term or even for indefinite time.


Different Types of DoS Attacks


There are different types of DoS Attacks. Let's understand what each type of DoS Attack does:

UDP Flood Attack


UDP Flood Attack is an attack which floods random ports of a remote host with a large number of UDP packets. This makes the host to repeatedly check the application which is listening to the port and to reply with ICMP Destination Unreachable packets when no application found. As a result, the host ends up exhausting considerable amount of its resources and leads to a DoS Attack.

Internet Control Message Protocol Flood or ICMP Flood


Smurf Attack is this type of attack. In these attacks, the attacker sends lots of ICMP broadcast packets forging the source address of the victim. As a result, all the computers in the network send overwhelming number of replies to the victim computer. As a result, the victim computer ends up consuming all its network banwidth in sending replies and its resources become unavailable for legitimate purposes

Ping Flood


In this attack, the attacker sends a large number of ICMP Echo Request or ping packets to the targeted victim's IP address, mostly by using the flood option of ping. As a result, the victim's machine starts responding to each ICMP packet by sending a ICMP Echo Reply packet and ends up exhausting all its network bandwidth, resulting in a DoS attack.

Ping of Death


A correctly formed ping packet is typically 56 bytes in size. But any IPv4 packet may be as large as 65,535 bytes. If the attacker sends a malformed very large ping packet to the victim's IP address, the IP packet will reach the targeted victim splitting into multiple fragments. When the victim's machine will reassemble the IP fragments, it will end up with IP packet larger than 65,535 bytes. As a result, the victim's computer cannot handle that properly and a buffer overflow will happen. It can result in a system crash and potentially allowing the injection of malicious code. This type of attacks are called Ping of Death.

SYN Flood 


In a SYN Flood, the attacker sends an enormous number of connection request to the victim server, often forging his IP address. As a result, the victim server ends up spawning lots of half open connections, sending back a TCP/SYN-ACK packets and waiting for the response. But as the attacker has forged his IP address, the sent packets end up going to wrong IP addresses and the server never gets a reply. But, these half-open connections saturate the maximum number of open connections the server can have and the server can no more respond to legitimate requests, resulting in a DoS attack.

Other Application Level Flood  


In this sort of attacks, the attacker floods the victim machine with legitimate looking requests like database lookup, search requests etc. It exploits few conditions like buffer overflow, and fills up the diskspace of the victim machine or consume all its memory and CPU cycles. As a result, the victim machine ends up exhausting all its computational resources and results in a DoS Attack.

Banana Attack 


In this attack, the attacker redirects outgoing messages from the victim machine back to the machine itself. As a result, the machine ends up exhausting its own network bandwidth and becomes inaccessible to outside network access, resulting in a DoS attack.

Slowloris  


In this attack, the attacker's computer opens many connections to the victim machine's webserver and try to keep them open as long as possible. It mainly opens connections to the victim web server and sends partial request. Periodically, it sends subsequent HTTP headers, but never completes those requests. As a result, the victim webserver keeps maximum possible connections open and becomes inaccessible for legitimate connection requests.

NTP Amplificaion Attack 


NTP or Network Time Protocol is a protocol used by machines connected to the internet to set their clocks accurately. These NTP Servers are publicly accessible and can easily be found with tools like MetaSploit and NMAP. NTP Amplification Attack is an attack in which the attacker exploits these publicly available NTP Servers and sends lots of UDP packets to the victim machine. As a result, the victim machine ends up sending long replies which exhausts its resources.

HTTP Flood 


HTTP Flood Attack is an attack in which the attacker sends lots of legitimate looking malicious HTTP GET or HTTP POST requests to a webserver. These requests consume significant amount of server's respurces. As a result, the webserver ends up exhausting its resources and results in a DoS attack.

Zero-day DoS Attack 


In this type of attacks, the attacker exploits vulnerabilities of a software for which no patch is yet released and performs the DoS attacks. This is quite a popular attack for attackers.

DNS Amplification Attack 


In this attack, the attacker sends lots of DNS query to a DNS server, but forges the IP address of the victim machine as source IP address of all the query packets. As a result, the DNS server ends up sending all the responses to the victim machine. As DNS responses are much larger in size, the responses end up flooding the victim machine with responses and consuming its bandwidth.

CHARGEN Attack 


CHARGEN is a character generation protocol that listens to port 19 of TCP or UDP and continues to stream random characters until the connection is closed. For UDP, it responds to a request with up to 512 byte response. In CHARGEN Attack, the attacker sends lots of request with spoofed IP addresses and floods the victim machine with UDP traffic at port 19, resulting in a DoS attack.

DrDoS Attack or Reflection DoS Attack  


In this attack, an attacker spoofs his IP address, and sends lots of request messages to other hosts of the network. As the attacker uses the victim machine's IP address as the source IP address of the outgoing request messages, all the other hosts sends a response to the victim machine. At this point, if the attacker has much higher bandwidth than the victim machine, the victim machine gets lots of reponses which uses up all its network bandwidth. As a result, victim machine becomes no longer available for legitimate requests, resulting in a DoS attack.

SSDP Reflection Attack 


SSDP or Simple Service Discovery Protocol is a protocol which enables network devices to smoothly connect with each other. It is part of the Universal Plug and Play or UPnP protocol standard and is used to connect devices such as computers, printers, internet gateways, Wi-Fi access points, mobile devices, cable modems, gaming consoles etc. In SSDP Reflection Attack, the attacker sends lots of falsified request messages and redirects the amplified responses to the victim machine. As a result, the victim machine gets flooded with the responses, resulting in a DoS attack. The concept of this attack is pretty new and it first appeared in July, 2014.

SNMP Attack 


SNMP or Simple Network Management Protocol is a protocol which is used to manage devices with IP addresses, such as routers, servers, printers, IP video cameras, alarms etc. These devices transmits sensor readings and other variables over the network using this protocol. In SNMP Attack, the attacker sends falsified SNMP requests and redirects the responses to the victim machine, flooding it with responses and thus it results in a DoS attack.

SSL Flood 


When a server provides a secure connection to a client, normally it involves a large amount of processing cycles from the server's side. This type of attacks exploits that scenario. The attacker requests lots of secure connection to the server, and the server loses its processing cycles to respond to the illegitimate connections, not being able to respond to the legitimate ones.

SSL Garbage Flood 


In SSL Garbage Flood, the attacker sends lots of malformed SSL requests to the victim machine. As these SSL requests takes lots of computational resources of the SSL server, the victim machine ends up exhausing all its resources, resulting in a DoS attack.

TCP Null Attack 


In this attack the attacker sends lots of IP packets to the victim machine with the IPv4 headers filled with NULL. The firewalls configured for TCP, UDP and ICMP packets may allow these packets. As a result, the enormous amout of these packets flood the victim machine, consuming its bandwidth.

LAND Attack 


It is a Local Area Network Denial attack. In this attack, the attacker sends a TCP SYN packet to initiate a TCP connection with the victim machine. But the attacker uses the victim machine's IP address as both source and destination address. As a result, the victim machine ends up replying to itself continuously, consuming all its processing power and resulting in a DoS attack.

Teardrop Attacks 


In this attack, the attacker sends a mangled IP packet, with oversized and overlapping payloads, to the victim. If the Operating System of the victim's machine cannot handle it properly, the machine will end up crashing, resulting in a DoS attack.

Peer-to-Peer Attacks  


In this attack, the attacker gets control over the clients of a peer-to-peer file sharing hub. He instructs the clients to disconnect from their peer-to-peer network and connect to the victim's machine instead. This results in hundreds of thousands of connection request to the victim machine. As a result, the victim machine ends up exhausting all its computational resources, resulting in a DoS attack.

Slow Read Attack 


A Slow Read Attack sends a legitimate application layer request to the victim machine, but it reads the responses from the machine very slowly. The attacker advertises a very small number for the TCP Receive Window size and empties the victim machine's receive buffer slowly.

Smurf Attack  


In Smurf Attack, the attacker creates lots of ICMP packets with the intended victim's IP address as source IP address of those packets and broadcasts those packets in a computer network using an IP Broadcast address. As a result, computers in the network sends the responses to the victim machine. And, the victim machine gets flooded with the responses, resulting in a DoS attack.

Fraggle Attack  


This type of attack is similar to Smurf Attack, but instead of ICMP traffic, the attacker sends large number of forged UDP traffic to the victim machine.


Prevention of DoS Attacks


There are a number of ways to prevent DoS attacks. It can be defended in Application Layer, Transport Layer, Network Layer or by profiling allowed traffic and filtering the traffic as per that.


Profiling Application Layer Traffic


DoS Attacks can be defended in Application Layer by profiling incoming traffic to distinguish between humans, human bots or hijacked web browsers and filtering traffic based on that. Several techniques can be used to profile the incoming traffic. Various attributes like IP and ASN informartion, HTTP headers, cookie support variation, JavaScript footprint etc can be used to classify client requests and filter out bots. Often fingerprinting is used to separate good bots from the bad bots. Some DoS defense solutions also maintain visitor state across sessions within an application to isolate real users from repeat offenders.

Using Progressive Challenges


A set of progressive challenges can be used to isolate a legitimate human user from a malicious bot. Transparent challenges like cookie support or JavaScript execution can be used for this purpose. CAPTCHA also can be used, so that a human can complete a CAPTCHA test and move ahead.

Behavioral Anomaly Detection


Anomaly detection rules can be used to analyze behavioral patterns of incoming traffic and detect non-human traffic or traffic from hijacked or malware infected computers, which are often used to carry out a DDoS attack.

Web Application Firewall


Application Layer firewalls can examine the payload of a packet and filter traffic based on that. They can allow or deny certain Application Layer requests coming from a user. Firewalls rules can also be created to block malicious traffic on allowed ports. 

You can find more on how Web Application Firewalls work here : Web Application Firewalls

Deep Packet Inspection


Deep Packet Inspection or DPI can look into the data part of a network packet and filter traffic accordingly. DPI can monitor the payload of each packet and detect protocols, applications, inappropriate URLs and intrusion attempts. It also can produce much more detailed logs, which can help in dealing with security incidents. DPI can eliminate unwanted traffic before it can attack the entire network. 

You can find more on how Deep Packet Inspection works here : Deep Packet Inspection

Using IDS/IPS


IDS/IPS can match the packet signature with existing attack signatures present in a database and filter traffic accordingly. If a database is adequately populated, they can detect and prevent network attacks with much less false positives.

You can find more on how IDS and IPS work here : IDS and IPS

High Capacity Network Bandwidth


High capacity network bandwidth helps in preventing Layer 3 and Layer 4 DDoS attacks up to a great extent. Layer 3 or Layer 4 DDoS attacks are usually possible if the network bandwidth of the attackers is more than that of the attacked network. Hence, increasing the capacity of the network bandwidth does help.


This article was intended to give a brief overview of DoS attacks and its prevention. Hope it helped.